diff --git a/services/arr/prowlarr.nix b/services/arr/prowlarr.nix
index 7561c87..fc2001f 100644
--- a/services/arr/prowlarr.nix
+++ b/services/arr/prowlarr.nix
@@ -11,6 +11,9 @@
         service_configs.prowlarr.dataDir
       ])
       (lib.vpnNamespaceOpenPort service_configs.ports.private.prowlarr.port "prowlarr")
+      (lib.serviceFilePerms "prowlarr" [
+        "Z ${service_configs.prowlarr.dataDir} 0700 prowlarr prowlarr"
+      ])
     ];
 
     services.prowlarr = {
@@ -19,6 +22,24 @@
       settings.server.port = service_configs.ports.private.prowlarr.port;
     };
 
+    # The upstream prowlarr module uses DynamicUser=true which is incompatible
+    # with ZFS-backed persistent storage — the dynamic user can't access files
+    # on the ZFS mount. Override with a static user to match sonarr/radarr.
+    users.users.prowlarr = {
+      isSystemUser = true;
+      group = "prowlarr";
+      home = service_configs.prowlarr.dataDir;
+    };
+    users.groups.prowlarr = { };
+
+    systemd.services.prowlarr.serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      User = "prowlarr";
+      Group = "prowlarr";
+      StateDirectory = lib.mkForce "";
+      ExecStart = lib.mkForce "${lib.getExe pkgs.prowlarr} -nobrowser -data=${service_configs.prowlarr.dataDir}";
+    };
+
     services.caddy.virtualHosts."prowlarr.${service_configs.https.domain}".extraConfig = ''
       import ${config.age.secrets.caddy_auth.path}
       reverse_proxy ${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString service_configs.ports.private.prowlarr.port}
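Review bot: The added `Z ${service_configs.prowlarr.dataDir} 0700 prowlarr prowlarr` tmpfiles line applies the literal mode 0700 to every regular file under dataDir as well as to directories, so Prowlarr's config, database and log files end up with the owner-execute bit set. If the intent is only to strip group/other access while keeping the existing bits, the masked form does that without making files executable: `"Z ${service_configs.prowlarr.dataDir} ~0700 prowlarr prowlarr"` (0644 files become 0600, 0755 directories become 0700). Because `Z` is recursive, this line also re-walks the whole data directory whenever `lib.serviceFilePerms` is evaluated by tmpfiles — presumably on every service start, though that helper is not visible here — which is worth a short comment next to the entry if the directory can grow large. The enclosing list and module attrset start and end outside the hunk.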
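Review bot: Forcing `DynamicUser = lib.mkForce false` in the new `systemd.services.prowlarr.serviceConfig` block silently drops the sandboxing that DynamicUser=true implied — NoNewPrivileges, PrivateTmp, RemoveIPC, ProtectSystem=strict and ProtectHome=read-only — so the service now runs with a static user and none of that confinement, which is a net hardening regression rather than a like-for-like swap. Restore those settings explicitly in the same block, and add `ReadWritePaths` for the data directory so ProtectSystem=strict does not make it read-only (whether that is needed depends on where dataDir lives, which this file does not show). The comment above the block explains the ZFS motivation well; it should also state that the implied hardening was re-added by hand, so a later reader does not assume DynamicUser's defaults still apply. The enclosing module attrset starts and ends outside the hunk.
```nix
    systemd.services.prowlarr.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = "prowlarr";
      Group = "prowlarr";
      StateDirectory = lib.mkForce "";
      # DynamicUser=true implied these; re-state them now that it is disabled.
      NoNewPrivileges = true;
      PrivateTmp = true;
      RemoveIPC = true;
      ProtectSystem = "strict";
      ProtectHome = "read-only";
      ReadWritePaths = [ service_configs.prowlarr.dataDir ];
      # … unchanged: ExecStart override …
    };
```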